Email Marketing: What You Need to Comply With Canada’s PIPEDA and CASL

You’re about to embark on an inbound marketing program. You have a shiny new website, with engaging content, optimized for conversions and leads, in the works and almost ready to launch. It’s an exciting time!

Hold on though. Does your website comply with Canada’s privacy act (PIPEDA) and anti-spam laws (CASL)? If not, then you could be viewed as a spammer and be subject to hefty fines in the thousands of dollars!


PIPEDA “applies to the collection, use or disclosure of personal information in the course of a commercial activity.” What this means is that you need to inform your customers about how you will collect, use and disclose their personal information. If you don’t, you could be fined very large sums.

You Need a Privacy Policy on Your Website

A PIPEDA self-assessment guide advises the following:

  • If your organization has a Web site, post your privacy policy on it. Make sure the policy covers all collections, uses, and disclosures of personal information made via the Web site itself; and
  • Take appropriate measures to notify web site users of all your organization’s online information practices, notably the use of “cookies” or other non-visible tracking tools, and explain such practices

Where Do I Get a Privacy Policy?

First, check out the Privacy Commissioner of Canada’s website. The Privacy Commissioner also offers a Privacy Tool Kit for businesses. There are many online privacy policy generators; however, it is best to seek legal counsel to ensure that your Privacy Policy meets the requirements of PIPEDA.

Canadian Anti-Spam Legislation (CASL)

Now that you have your Privacy Policy, you need to make sure that any information you collect through your inbound program meets CASL standards.

Some background: Between July 1, 2014 and July 1, 2017, organizations were allowed to send Commercial Electronic Messages (CEMs) to anyone with whom they had an Existing Business Relationship (EBR) or Non-Business Relationship (Non-EBR) prior to July 1, 2014. Companies were also allowed to message contacts that had “conspicuously published” their email address (e.g. showcased their email publicly on a blog).

After July 1, 2017, Implied Consent contacts may only be messaged for 2 years or 6 months, depending on the type of relationship you have with them. For example, you may email existing customers for 2 years from their purchase date, but you may only email someone who inquires about your service for 6 months from their date of inquiry.

Contacts that provide Express Consent can be messaged indefinitely until they unsubscribe.

When you request email opt-in from a contact, the following is required:

  1. When requesting consent, the purpose for obtaining consent is clearly and simply stated, i.e. “subscribe to our newsletter to receive quarterly emails related to inbound marketing.”
  2. The sender or the person on whose behalf consent is requested is identified by their name, mailing address, and either a telephone number, email address or web address
  3. The recipient is informed that they can unsubscribe at any time
  4. Consent must be opt-in, not opt-out
  5. The evidence of express consent is retained. For example, file their IP address, date and time of opt-in.
  6. Consent cannot be bundled with consent for Terms and Conditions

How Marketing Automation Can Keep You Sane

Reviewing and updating your email marketing database can be a gruelling task, especially if you have a large number of contacts. Marketing automation is a practical solution for email marketing and subscriber list management, and it helps companies build, manage and update contact lists. Plus, with a marketing automation application, you can easily allow contacts to unsubscribe at any time.

There are several solutions available. Some that I have used are:

Mailchimp – you can start with a free plan which includes up to 2,000 subscribers and 12,000 emails per month

Constant Contact – offers a free trial for 60 days

Pardot (Owned by Salesforce) – on the higher end

HubSpot – on the higher end; they offer some free tools.

Other marketing automation applications you may want to investigate are Eloqua and Marketo.

With your Privacy Policy in place and your forms set up for opt-in, you are now ready to go live with your website. Congratulations!


Office of the Privacy Commissioner Canada


CRTC: Compliance and Enforcement Bulletin, Canadian Government

*Disclaimer: This blog post is my interpretation of the legislation, and is based on my research and experience. I do not intend to provide legal counsel, and if you are uncertain of any rules related to the Canadian Anti-Spam Legislation or Privacy Act, you should reach out to your lawyer.